ASK THE EXPERT - CISCO WIRELESS CONTROL SYSTEM (WCS)

Jan 25th, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss how to successfully plan, manage and troubleshoot your wireless network using Cisco Wireless Control System (WCS) with Cisco expert Paul Lysander. Paul is a technical marketing engineer with the Wireless Networking Business Unit at Cisco. He was previously a member of Cisco's Access Technology Group product team, managing the Cisco Integrated Services Router platforms.

Remember to use the rating system to let Paul know if you have received an adequate response.

Paul might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 8, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

lysander Mon, 01/28/2008 - 23:56

WCS does not currently provide a way to monitor this information.

Are there any other utilities that are capable of reporting this information?

The release notes from 'Unified Wireless Network' mentions templates that are available to report per-user bandwidth usage. I had hoped that there would also be a report of cumulative bandwidth without using a 3rd party application.

Thanks,

Greg

I appreciate the advice but unfortunately the method 'Monitor->Access Point' only allows 5 APs to be queried at a time. My objective is to generate an automated report of the traffic per SSID from all of the 120 APs and 4 WiSM blades. Management is interested in how much wireless bandwidth is currently being used for Guest access vs. Machine Authenticated access. I'm sure that usage by campus, building and floor would also be useful. At this point it seems that the most likely method to get an aggregate usage trend is to monitor the VLAN trunks on the 6500 chassis.

Thanks,

Greg

Paul,

We are having difficulty adding and refreshing existing controllers (running 4.0.179.11) into the WCS (4.1.91). I have heard various issues related to controller configuration elements (Radius servers, AP Groups, etc.) causing the import process to abort. I have since reinstalled the WCS, and when attempting to add 36 controllers via a CSV file (18 WiSMs), it fails after 2 controllers. Is there anything that can be done to fix this beside clearing the controller configs (not a viable solution)? Should we try to go back to WCS 4.0? Doesn't this go against the principle of upgrading the WCS before upgrading controller code?

Thanks

--Bruce Johnson

lysander Mon, 01/28/2008 - 23:52

There could be something wrong via SNMP credentials or the import file. Please add controllers manually entering required credentials. If we still see an issue after just the first 2 controllers, then it could be an issue with the import file. If that is not the issue, resolving this problem would require more extensive troubleshooting than can be discussed on this forum.

Chin Hoong Yap Sun, 01/27/2008 - 21:25

Hi Paul, I am a WLAN newbie and have a good question. :)

Below is excerpted from Sybex CCNA Study Guide 6th Edition Page 715:

the controller only forwards LWAPP packets coming from an LWAPP-enabled port, which means a switch or router is required to take an LWAPP packet and forward it out as IP data to a non-LWAPP network. A mid-range switch can handle the routing.

Below is excerpted from "Deployment Guide: Cisco Mesh Networking Solution Release 3.2": A switch or router between the Cisco wireless LAN controller and the RAP is required because Cisco wireless LAN controllers do not forward Ethernet traffic coming from an LWAPP-enabled port.

Pay attention to the lines: "forwards LWAPP packets coming from an LWAPP-enabled port", and "do not forward Ethernet traffic coming from an LWAPP-enabled port".

My first question would be what is the definition for "LWAPP-enabled port"? What is it? Where is it? By knowing this, I think I can understand the sentences. :)

Additionally, can someone elaborate more on why a switch or router is required for routing wireless data, so that I can have a better visualization?

I have used Google and Wikipedia but found no light. Hope I can find some light here. Thanks in advance. :)

dstiff Fri, 02/01/2008 - 16:45

Unfortunately, the documentation you found is rather confusing. The concept behind LWAPP is really simple.

The AP (standard AP or MESH RAP) talks to the controller via LWAPP. LWAPP is a protocol that sits inside of an IP packet. So all you need to worry about is that you have IP connectivity between the AP and the controller. This can be across router boundaries (different subnets) or on the same switch (same VLAN). When the controller gets the LWAPP packets from the AP, it strips off and processes the LWAPP information and then forwards (if appropriate) the Ethernet frames onto the VLAN/Ethernet port connected into the controller.

I hope this helps.

David Stiff

Manager, Technical Marketing

Cisco's Wireless Networking Business Unit

Wires?!? We don't need no stinking wires!

loudo Mon, 01/28/2008 - 02:14

Hi Paul,

We are currently making a unified wlan solution validation on our customer site.

LAP1310AG APs are connected to 3 WLC 4402 managed by a WCS.

2 ACS engines (4.1.1.23) perform the AAA between the WLCs and the Novell Directory Server.

The wireless client is using novell client software using 802.1x/PEAP to authenticate via Wireless.

We are facing an authentication issue that seems to be due to a non-supported feature on ACS: PEAP with an external LDAP database.

1/ The following CCO documents give notice that the ACS 4.1 can interact with a Novell Directory server when configured on the ACS as a Generic LDAP server:

1.1/ http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/Overvw.html

...

Authentication and User Databases

ACS supports a variety of user databases. It supports the ACS internal database and several external user databases, including:

•Windows User Database

•Generic Lightweight Directory Access Protocol (LDAP)

•Novell NetWare Directory Services (NDS) when used with Generic LDAP

•LEAP Proxy Remote Access Dial-In User Service (RADIUS) servers

•Token servers

•Open Database Connectivity (ODBC)-compliant relational databases (ACS for Windows)

Authentication Protocol-Database Compatibility

...

--

1.2/

http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps5712/ps5338/prod_qas09186a008018e94a.html:

...

Q. What support is there for Lightweight Directory Access Protocol (LDAP)?

A. Support for LDAP on Cisco Secure ACS Solution Engine is identical to support on the Cisco Secure ACS software version. Cisco Secure ACS supports user authentication against records kept in a directory server through LDAP. Cisco Secure ACS supports the most popular directory servers, including Novell and Netscape, through a generic LDAP interface.

...

2/ The following CCO document gives notice that PEAP is not supported by the ACS when interacting with an LDAP server:

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/Overvw.html#wpxref846

--

- Could you please confirm for us that the ACS engine 4.1 does not support PEAP (with wireless client) when the user database is an external LDAP database?

- Could there be another solution permitting the use of PEAP (between wireless client and ACS) and LDAP (between ACS and Novell Directory server)?

We could also use EAP-TLS, as it seems to be supported by the ACS interacting with LDAP. The issue is that we will then need to provision each wireless device with user certificates, and as multiple users can use a wireless client, it could quickly become a mess to provision...

Many thanks for your help

Regards/Ludovic.

a.hajhamad Mon, 01/28/2008 - 04:51

Hi Paul,

If you don't mind i have a question about WLC.

How can I secure LAP registration to the WLC, since any Cisco LAP can register itself with my WLC without any authentication?

Thanks in advance

Abd Alqader

I am also interested in this issue. Currently, Cisco recommends that you have the LWAPs authenticate back to an ACS (adding significant cost in labor and product).

The problem is significant because not only can ANY Cisco LWAP automatically join a WLC by default, but after it joins, it automatically begins transmitting the first eight active SSIDs/WLANs defined in the system. Also, ignoring what we learned in the autonomous days (where the default state of the radios was eventually changed to OFF), the LWAP radio default state is ON after connecting to the controller.

This behavior creates a security issue if certain SSIDs/WLANs that carry sensitive data are only intended for specific areas of the building.

Also, the auto-join-and-carry-traffic-by-default behavior means that if a hacker wishes to bypass WLAN security, all they need to do is purchase one Cisco LWAP, put it on the wired network, and sniff unencrypted *data* LWAPP traffic on the *wired* side of the LWAP (since all layer 2 encryption is on the RF side of the LWAP; the LWAP data traffic is not encrypted). Any clients associated with the rogue Cisco LWAP can have their traffic captured - *** with no rogue AP alarms ***

One very simple fix for this problem is to change the Cisco default LWAP radio state for a newly-joined LWAP to be OFF instead of ON. This behavior would then accurately reflect what the sticker on the LWAP box says "Radios are off by default". The admin would then

Or... the Cisco controller could "park" LWAPs that are attempting to join the controller and prevent them from fully joining (i.e.: detect newly-connected LWAPs, but not allow them to pass traffic without administrative authorization).

Paul: Is there anything in the works to address this without having to buy a $12,000 ACS?

John

Some WCS enhancement requests:

1) Could the WCS import a comma-delimited .CSV file which loads the AP Serial Numbers/AP Names into the WCS?

Currently, this process is the most labor-intensive process when configuring the WCS. If this feature is added, then all I would have to do is place the LWAPs on the heat map and use access point templates to make bulk changes to the access points.

If the LWAP is not yet seen by a controller, a placeholder record could be created (similar to what we have today in the WCS when an LWAP is no longer connected to the system) that would store the name of the AP.

2) Currently, there is no way to configure virtual interfaces using a controller template in the WCS. This is conspicuously missing among the list of controller templates. For larger installations, configuring virtual interfaces consistently requires no small effort, as each controller must be individually configured with what is often the same set of virtual interfaces.

Is it possible to add a new Controller Template for configuring virtual interfaces in the controllers?

The need for this is significant. For example, in order for an LWAP to fail over from one controller (and have it actually permit client traffic), the appropriate virtual interfaces must exist on ALL controllers (Primary, Secondary, and Tertiary) to which the LWAP might connect. In order to ensure consistent configuration among the various controllers, a WCS template that permits groups of virtual interfaces to be applied to a group of controllers would save a tremendous amount of time and reduce user input errors.

3) Is it possible to add a new Controller Template to set up Mobility Groups? Currently, this is a manual, controller-by-controller administrative task that must be repeated each time a controller is added (or replaced). Ideally, it might even be possible for these templates to be automatically built for each group of controllers that have the same mobility group name.

4) When adding LWAPs to a heatmap, is it possible for the WCS to initially place them in a *column* on the left-hand side of the map (instead of a *row* across the top of the screen)? That way you could actually read the AP name tag. Right now, the name tags get covered up as the APs overlap and it is sometimes impossible to read the AP name tags.

Is anyone else running into these limitations?

- John

lysander Wed, 02/06/2008 - 20:10

Hi John,

1) For importing autonomous APs into WCS, this is supported in WCS 4.2 (from Configure --> Access Points --> Add autonomous APs - select the "file" option). LWAPP APs are not manually imported into WCS as they are auto-discovered when controllers are added to WCS.

The other items/ideas that you have listed sound like good feature requests. Please provide any further input that you have on these feature requests.

Thanks & regards

--Paul

MARK HEUZENROEDER Mon, 02/04/2008 - 19:34

You can tell WLCs to only create an LWAPP tunnel to a LAP if the LAP's Ethernet MAC address is in the table you configure on the WLC.

The MAC address for the LAP must be in the Primary, Secondary and Tertiary WLC databases.

I know it's painful to administer but works fine.
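The post above describes the controller-side AP MAC authorization list and the operational trap that comes with it: the list has to be identical on every controller the AP might fail over to. The following is an added example (not Cisco's code and not from this thread) that builds the list from an inventory and audits each controller for missing entries. The WLC CLI forms it emits, `config auth-list add mic <ap_mac>` and `config auth-list ap-policy authorize-ap enable`, are quoted from memory and should be checked against the command reference for your release; the inventory and per-controller data are constructed.

```python
"""Generate and audit the AP MAC authorization list on every controller.

Added example, not Cisco's code. Assumes the WLC CLI forms
'config auth-list add mic <ap_mac>' and
'config auth-list ap-policy authorize-ap enable' (from memory; verify
against your release's command reference). All data is constructed.
"""


def norm(mac: str) -> str:
    """Lower-case, colon-separated MAC; accepts ':', '-' or Cisco dotted input."""
    d = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(d) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


# Constructed inventory: "<ap name>,<ethernet MAC>" as read off the sticker.
INVENTORY = """\
ap-b1-f1-01,00:1c:0e:aa:00:01
ap-b1-f1-02,00-1C-0E-AA-00-02
ap-b1-f2-01,001c.0eaa.0003
"""

# Constructed: MACs currently present in each controller's auth list.
CONTROLLERS = {
    "wlc-primary":   {"00:1c:0e:aa:00:01", "00:1c:0e:aa:00:02", "00:1c:0e:aa:00:03"},
    "wlc-secondary": {"00:1c:0e:aa:00:01", "00:1c:0e:aa:00:02"},
    "wlc-tertiary":  {"00:1c:0e:aa:00:01"},
}


def parse_inventory(text: str) -> dict:
    """AP name -> normalized MAC. Blank lines and '#' comments are ignored."""
    aps = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, mac = (p.strip() for p in line.split(",", 1))
        aps[name] = norm(mac)
    return aps


def missing_per_controller(aps: dict, controllers: dict) -> dict:
    """Inventory MACs each controller lacks. Any AP listed here would be refused
    if it failed over to that controller; an empty list means it is consistent."""
    wanted = set(aps.values())
    return {c: sorted(wanted - present) for c, present in controllers.items()}


def auth_list_commands(missing: list) -> list:
    """CLI lines that add the missing APs and make sure the policy is enforced."""
    cmds = [f"config auth-list add mic {mac}" for mac in missing]
    cmds.append("config auth-list ap-policy authorize-ap enable")
    return cmds


if __name__ == "__main__":
    report = missing_per_controller(parse_inventory(INVENTORY), CONTROLLERS)
    for ctrl, missing in report.items():
        print(f"# {ctrl}: {len(missing)} missing")
        for line in auth_list_commands(missing):
            print(line)
```

Run the audit against each controller's actual list (exported from `show auth-list` or via SNMP) before a code upgrade or controller replacement, since the secondary and tertiary controllers are exactly the ones whose list drifts unnoticed until a failover happens.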

oviosaayeni Tue, 01/29/2008 - 00:11

I want to upgrade 1200 AP IOS software to 1240 IOS but it is giving me: UPGRADE ERROR: FILE NOT FOUND, SERVER NOT FOUND OR WRONG FILE FORMAT. What can I do?

Thanks,

1) Are there any plans to improve the Config Groups feature to make it more user friendly, perhaps making it more like the WLC GUI per Controller Group, rather than a 2-column display of raw and abstract config elements, to permit better Controller config containment and configuration checking?

2) Are AP Groups being considered as a more scalable means of applying WLAN override?

lysander Wed, 02/06/2008 - 20:18

Hi Bruce,

We continually look for ways to make WCS more feature rich. We are looking into both of the enhancements that you have described. Would be useful if you could provide further details on how to enhance both the Config Groups and WLAN override features.

Thanks & regards,

--Paul

m-geisler Tue, 01/29/2008 - 19:54

Hello Paul,

We are working with WCS 3.2 and someone changed the password of the superuser account. Is there a way to do password recovery?

Thanks

Mike

epfilis2002 Tue, 01/29/2008 - 20:31

I want to use the WCS to:

1. detect rogue aps

2. assess threat levels and answer the question, "is the rogue on the network?"

I did a test... I turned on RLDP and plugged a rogue Cisco fat AP into my wired network. The WCS identified it as on the network.

However, I was told that if I plugged in a Linksys wireless router (NAT on), the WCS will not be able to tell if the rogue is on the network. Since wireless routers with NAT on are a more common threat, can you tell me how to configure WCS to be able to assess the correct threat level of these wireless routers with NAT?

Thanks!

dstiff Fri, 02/01/2008 - 16:34

WCS provides very comprehensive discovery and threat detection of Rogue Access Points. From the scenario you describe, the RLDP feature will work for a NATed rogue as well. RLDP does the following: 1) pretends to be a client and tries to connect to the Rogue AP SSID, 2) tries to get an IP address via DHCP, 3) pings its controller. If it gets a response, it knows the rogue is on the network and will elevate the rogue status to Threat. This works for both NAT and directly L2 connected access points.

This works great for OPEN rogues. If the Rogue AP has some form of encryption, we have a Rogue Detector mode on our APs that will allow the AP to monitor a trunk port and look for ARP requests on the wire. It matches up ARPing clients to known wireless rogue clients.

David Stiff

Manager, Technical Marketing

Cisco's Wireless Networking Business Unit

Wires?!? We don't need no stinking wires!
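The Rogue Detector logic in the reply above is a correlation problem: MACs seen ARPing on our own trunk versus MACs the controller has seen associated to rogue BSSIDs. The following is an added example (not Cisco's implementation and not from this thread) that performs that correlation over constructed data, so the "is the rogue on the network?" decision can be reproduced offline. The ARP sighting format (`<vlan> <sender MAC> <sender IP>`) and the rogue client table are both invented for the example.

```python
"""Correlate wired-side ARP sightings with clients known to be on rogue APs.

Added example, not Cisco's implementation: it mirrors the Rogue Detector
idea from the reply (an AP on a trunk watches ARP and matches sender MACs
against the controller's list of rogue clients). All data is constructed.
"""
import re
from collections import defaultdict

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., or Cisco aabb.ccdd.eeff; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed: client MAC -> BSSID of the rogue AP the controller saw it on.
ROGUE_CLIENTS = {
    "00:1b:2f:aa:bb:01": "00:1b:2f:ff:ee:10",
    "00:1b:2f:aa:bb:02": "00:1b:2f:ff:ee:10",
    "00:21:5c:aa:bb:03": "00:21:5c:ff:ee:20",
}

# Constructed ARP sightings from the trunk, one per line: "<vlan> <sender_mac> <sender_ip>".
ARP_SIGHTINGS = """\
10 00:1b:2f:aa:bb:01 10.10.10.51
10 0026.0b11.2233 10.10.10.1
20 00-1B-2F-AA-BB-02 10.10.20.77
30 00:21:5c:aa:bb:03 10.10.30.5
30 not-a-record
"""


def parse_arp_sightings(text: str) -> list:
    """Return (vlan, mac, ip) tuples; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            rows.append((int(parts[0]), normalize_mac(parts[1]), parts[2]))
        except ValueError:
            continue
    return rows


def rogues_on_wire(sightings: list, rogue_clients: dict) -> dict:
    """Map each rogue BSSID to the wired evidence (client MAC, VLAN, IP) seen for it.

    A BSSID present in the result is the "on the network" case: at least one
    client that associated to that rogue is ARPing on our own trunk.
    """
    hits = defaultdict(list)
    for vlan, mac, ip in sightings:
        bssid = rogue_clients.get(mac)
        if bssid is not None:
            hits[bssid].append({"client": mac, "vlan": vlan, "ip": ip})
    return dict(hits)


if __name__ == "__main__":
    found = rogues_on_wire(parse_arp_sightings(ARP_SIGHTINGS), ROGUE_CLIENTS)
    for bssid, evidence in found.items():
        print(bssid, "-> ON WIRE:", evidence)
```

The VLAN in each hit tells you where the rogue is plugged in, which is what you need to trace the switch port. Note the limit the reply already implies: a NAT router hides its wireless clients behind its own WAN MAC, so their MACs never appear in ARP and this correlation finds only bridged rogues; the NAT case is what RLDP's connect-and-ping-the-controller test is for.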

David,

Is there any consideration being given to organizing APs and Controllers in a directory-folder structure rather than templates as a way to better handle configuration elements? The Config Groups feature has some promise in this regard, but it needs to be fleshed out better than its current two-column display of abstract syntax elements.

lysander Wed, 02/06/2008 - 20:24

Hi Bruce,

Templates is the current way that we have of organizing AP's and controllers. Using directory-folder structure is an interesting idea. Any further feedback on what you would like to see would be useful. What is is that you like about the Config Groups feature? What other information would you like to see displayed?

Thanks & regards,

--Paul

There needs to be group-based, user definable structures in the WCS for managing and reporting on site-specific APs and controllers. Rather than having templates that can be applied to all controllers, why not have folders that share common configuration elements? This is functionally similar to the Config Groups feature, but I assume the config elements there are SNMP ASN strings and don't have the necessary human-readable significance they require. If this were the case, the first thing you enter is the user-defined group of devices you want to manipulate (APs or controllers), and within that group manage the relevant configuration elements. This allows for multiplicity of configurations as needed at a more effective level. For example, AP Templates works fine, but it is just too cumbersome when you are dealing with 1000+ APs, and have to select each one manually (even a regex text search feature would be very helpful there). But why not be able to save APs in a container, and apply what you want, or report on what you want, just to/from those APs? I don't want to have to tie these features to having maps configured. I personally would be willing to give up the emulated WLC GUI experience for this capability. Take a look at AirWave. As a multi-vendor wireless management platform, they are forced into this position, and have beneficial aspects like those described.

htsiartas Wed, 01/30/2008 - 06:08

is it a good idea to manage point to point wireless with WCS?

what are the advantages disadvantages?

thanks

h

dstiff Fri, 02/01/2008 - 16:28

WCS can manage our MESH access points (1500 Series and the new 1520). This provides full management of the mesh backhaul in addition to connected clients. We provide full reporting, graphing, client monitoring, troubleshooting and even some interesting new features like Google Earth integration.

htsiartas Sat, 02/02/2008 - 01:22

Thanks, but I was referring to the new feature that can manage 1300 p-t-p wireless; previously that was not supported, right? So I am asking: in a WCS enterprise deployment, is it good to manage 1300 p-t-p wireless with WCS, or is it better to leave them in autonomous mode?

mikehallevms Wed, 01/30/2008 - 11:01

Paul,

We are constantly seeing Decrypt errors occurring for client using WPA on both 1130AG's and 1242AG's. We are using WPA with TKIP. How do we correct this?

hkubat Wed, 01/30/2008 - 11:16

Paul,

I am trying to upload new code to my 4404 overseas from a server here in the States. As it was taking very long, I had to log out of my session to move to another building. Would the TFTP of the new code still be working? Note the server 'is not' my laptop. Also, if it is still running, is there a way for me to tell this?

Thanks

Harry

dstiff Fri, 02/01/2008 - 16:57

As long as the initial copy from your laptop to the WCS server completed, the upload process from WCS to the controller will still be operational. You can go back into WCS -> Configure -> Controllers -> [right menu pulldown] for download software.

You should see the last status. ie: software download complete

David Stiff

Manager, Technical Marketing

Cisco's Wireless Networking Business Unit

Wires?!? We don't need no stinking wires!

ppellettiere Wed, 01/30/2008 - 13:31

Hi,

I am running WCS 4.2.6. I want to authenticate to LDAP and bypass my ACS due to bug CSCsl41588. We are using the Cisco Aironet wireless adapter and the Cisco Secure Client. Can this be done?

Pete

dstiff Fri, 02/01/2008 - 16:25

Pete,

WCS supports RADIUS, TACACS+ and local users as AAA authenticators for WCS users. Our controllers DO allow direct LDAP authentication (supports AD) for client auth. I just spoke with our Product Manager for WCS and let him know you are interested in this feature.

David Stiff

Manager, Technical Marketing

Cisco's Wireless Networking Business Unit

Wires?!? We don't need no stinking wires!

luceroc Thu, 01/31/2008 - 10:03

Hello, I am attempting to upgrade about 180 autonomous access points (that have been imported into and "pseudo-managed" by WCS 4.2.62.11). The import was fine and worked out, and I can see the AWAPs. I'd like to know how many of the AWAPs I can upgrade at a time. Can you tell me what the best practice is? I assume there's probably some limitation on the TFTP service running on the server, but was wondering so I can set the time expectations on the project. I know the standalone upgrade tool says about 6. Is this the same in the WCS upgrade section? Thanks in advance.

dstiff Fri, 02/01/2008 - 16:55

WCS can upgrade 10 aIOS access points per template push. I recommend you do the upgrade in chunks of 10. The good news is you can re-use the Migration Template in WCS, so all you have to do each iteration is select which access points to migrate. Best practice is to migrate 'manageable areas' at a time, such as floors, 1/2 floors, etc. This makes it easier to track when the upgrade is successful.

David Stiff

Manager, Technical Marketing

Cisco's Wireless Networking Business Unit

Wires?!? We don't need no stinking wires!

lysander Mon, 02/04/2008 - 16:33

Hi Charles,

If by "upgrade" you are referring to converting your APs from autonomous to LWAPP, WCS 4.2 supports upgrading up to 10 APs simultaneously. I suggest that you start with upgrading 5 or 6 APs concurrently and monitor the upgrade process to see how it responds based on your LAN infrastructure (i.e. packet latency). You can then increment your AP count accordingly.

Regards,

--Paul

mrcleanshaven Thu, 01/31/2008 - 15:54

Hi Paul:

My first visit to this part of Cisco. We recently installed a wireless network at a remote location in tropical Wyoming. The network consists of Aironet 1310 units configured as root bridges (2x) and non-root bridges (6x). We are experiencing difficulties with two locations and are hoping for some advice. The two radios in question are utilizing 15 dBi gain parabolic antennas. The signal strength is approximately -70 dBm +/-2 and S/N is approximately 30 dBm +/-2. The problem is periodic and manifests itself as 802.11 disabled and down (on the association page). The problem comes and goes sporadically but is repeatable and can be initiated by connecting to the radio via hard wire and requesting status from another radio on the network. Once the request is made, the radio will immediately lose connectivity (association) and display that the radio is disabled and down. After a short time the radio will re-associate and may or may not retrieve the requested data. Please advise. We have checked all of the parameters we can logically analyze and have verified that we have a clean line of sight to the root bridge. There may be the potential for Fresnel interference due to the ~1.6 miles between radios, but the elevation of the root is substantially above the non-root. Thanks for your help.

Sincerely,

Robert Short

dstiff Fri, 02/01/2008 - 16:52

Robert,

This forum is covering topics on WCS for managing wireless networks. I suggest you contact Cisco TAC for assistance on this one as there are many things to check.

David Stiff

Manager, Technical Marketing

Cisco's Wireless Networking Business Unit

Wires?!? We don't need no stinking wires!

mjohnson0430 Fri, 02/01/2008 - 07:23

Paul

All of our associates have been given laptops with Cisco Aironet 350 series Wireless LAN Adapters installed in them. We have encouraged them to improve efficiency by using them at home. One of my associates had trouble connecting to his wireless router at his home; I went to his house and could not connect. I am assuming this card recognizes the WPA protocol. It is not recognizing any wireless networks. What am I missing?

dstiff Fri, 02/01/2008 - 16:50

Yes, this card supports WPA (not WPA2). If the card works OK at work, my guess is a setting problem with the home device. Be sure you have WPA/TKIP enabled on the home router, not just WPA2/AES encryption. I would start troubleshooting by making an OPEN/Broadcast SSID on the home device. Once that is working, set up whatever security is desired. Also, be sure you have a config on the laptop that matches that on the home device.

David Stiff

Manager, Technical Marketing

Cisco's Wireless Networking Business Unit

Wires?!? We don't need no stinking wires!
